Cyber Risk underwriters have recently become more focused on the data security practices for portable media such as laptops, thumb drives and smartphones. Underwriters expect accounts with highly confidential data to use best practices to help mitigate the exposure. In particular, we are seeing underwriters review encryption practices more closely.
Hackers are becoming increasingly successful in breaching security measures at both large and smaller companies. The methods have moved beyond traditional hacking to more creative approaches such as direct theft of security information.
A data breach occurs when personally identifiable information, such as names and credit card numbers, is exposed to third parties. A breach can occur in a variety of ways, from a hacker obtaining unauthorized access to a system to the loss of a thumb drive containing confidential information. The loss of portable media with confidential information is considered a breach even if it is not known whether a hacker has obtained the information.
Many jurisdictions have passed laws and regulations requiring notice to regulators and to individuals whose information may be compromised when a breach occurs. The notification costs and the adverse publicity are significant. A loss of data has to be reported to regulators, and notifications must be sent to every individual whose information was compromised, even if the data is never used by a third party.
Organizations can protect confidential data through encryption.
Encryption is a process of changing information into a format that is unreadable without a key (or password). It is essentially a coding process that is now being widely used to protect confidential information. Encrypted data is meaningless to a third party without the key.
Some definitions of breach exclude the loss of portable media, such as a laptop, when the confidential data on the portable media is not encrypted.
Because the loss or theft of laptops, thumb drives, iPads, and smartphones occurs frequently, the exposure is significant. One approach to underwriting this exposure is to understand the exposure for each account. Some underwriters will ask detailed questions to assess the exposure, and decline to write certain accounts if encryption is not used for portable media.
Underwriters may ask the following questions:
Other underwriters will simply add wording to restrict or exclude losses from this exposure as follows:
We can help you navigate the Technology E&O/Cyber Risk insurance business.
Tennant Risk Services is a wholesale broker providing professional liability for a wide variety of professional organizations. We offer a broad portfolio of Technology Professional and Cyber Risk products, in many cases customized to meet the specific needs of an individual or group of technology professionals or users. We will provide you with the experience, expertise, and market access that you need and expect to meet your clients’ needs.